Fulcrum Strategy is a ‘Community Effort’ to Boost DOD Cyber Foundation

The Defense Department is leveraging a new “community effort” to improve its cybersecurity posture across the entire enterprise. On Tuesday, the Pentagon unveiled Fulcrum: DoD Information Technology (IT) Advancement Strategy as the agency’s plan to improve its communications, command and control while preparing the military for the future.

Fulcrum’s four lines of effort are designed to prioritize “user experience and investment in infrastructure that is both agile and scalable to meet the dynamic requirements of operations and opportunities offered by the most modern technologies,” according to an agency statement.

The strategy consists of four lines of effort (LOE):  Provide Joint Warfighting IT Capabilities; Modernize Information Networks and Compute; Optimize IT Governance; and Cultivate a Premier Digital Workforce.

“It is called ‘Fulcrum’ because it sits at the nexus between our national security strategy, our strategic management plans, our really big thinking strategies, our workforce implementation strategies, our software modernization strategies, our cybersecurity strategies, and it gives you tangible steps to take to turn that strategic vision into an operational reality,” DOD Deputy CIO Leslie Beavers said during the AFCEA TechNet Cyber conference in Baltimore on Tuesday.

Beavers said that Fulcrum will come with an implementation plan at a later date. The first LOE centers around delivering “user-centric IT capabilities that are functional, scalable, sustainable and secure in today’s dynamic and contested global environments” that will improve the warfighter’s information-gathering and decision-making ability.

She added the Zero Trust Portfolio Management Office is leading the second LOE, which is centered around zero trust. She noted that it and the rest of the DOD’s IT cannot be solely responsible for managing zero trust across the agency.

“When I think about zero trust, that means we’re not just defending the perimeter. It’s tagging people, tagging the data, audit, audit, audit. We all have to be part of this security solution. Less than 10% of the workforce, the IT cybersecurity professionals, cannot defend the entire attack space, and we are all under threat,” Beavers said during the event.

Beavers called for specialization in building out security, saying “I think ‘one size fits all’ is never a good answer,” but also emphasizing that specialization still needs to be interoperable in today’s cybersecurity world.

Beavers called identity credential and asset management “foundational to our ability to know who’s on the network and trust each other and interoperate, not just within our joint forces, but within our partner nations.”

Beavers warned that growing pains might stem from Fulcrum, but called it a “cooperation problem, not a technology problem.” The OCIO is collaborating with entities like the CDAO, Army and DIU to experiment and try new innovative technologies.

“Our role within this space is to do pick-and-shovel work to enable the access to the data and integration, and they get to do the flashy tools piece,” Beavers said. “What I think we’re looking at within our cybersecurity division in particular is, how do we incorporate some of those tools into our insider threat or user activity, or just to elevate our ability to accomplish our cybersecurity mission without having to add more people.”